The attack is the latest in a devastating run of ransomware infections that have disrupted school districts, businesses and cities across the U.S. The malware encrypts files with a key held by the attackers, who usually make ransom demands in the virtual currency bitcoin (see Texas Says 22 Local Government Agencies Hit by Ransomware).

The Flagstaff Unified School District discovered the ransomware infection on Wednesday morning, according to Zachary Fountain, the district's director of communications. He gave a phone interview with local broadcaster ABC 15 on Thursday.

By 3 p.m. Wednesday, the district made the decision to shut down internet access at all of its facilities to contain the infection, Fountain said. The district has 15 facilities that serve 9,600 students, according to its website.

Flagstaff's school district says classes would not be held Friday as it recovers from a ransomware attack.

Fountain said the district made the decision to cancel classes for two days in deference to school security. The lack of internet access means the district would not have access to the systems it needs to operate normally, hampering its ability to quickly react if something happened on its campuses, Fountain said.

"We understand that it [cancelling school] makes a huge impact to our families by making this decision," Fountain says. "We don't take it lightly, but we thought this was the best course forward.

"Progress was made today in securing critical FUSD systems, but unfortunately, work will need to continue through the weekend to ensure that students can return to school on Monday."

On Monday, the district's website posted a message that classes would resume today.

Electronic Locks

Fountain said he couldn't answer a question about what systems the ransomware disrupted but that an investigation was underway by third-party cybersecurity experts. It doesn't appear personally identifiable information was compromised, Fountain said, although an investigation is continuing.

The district tweeted about its decision to close school. In response, Sandy Davis - an associate professor of English education at Northern Arizona University - writes: "The electronic door locks (accessible with teacher ID cards) are part of the system that has been compromised, which makes safety a huge issue."

The electronic door locks (accessible with teacher ID cards) are part of the system that has been compromised, which makes safety a huge issue.

Schools across the U.S. have been upgrading their security because of shooting incidents. In 2012, Flagstaff's district issued $20 million in bonds to fund infrastructure improvements. A document shows that those upgrades include surveillance cameras, interior door locks and outside door access controls.

The document doesn't describe whether those systems are internet-connnected, but Fountain's comments point to that potential problem: If the network is down, the doors and security cameras may not function, a drawback of the increased reliance on network-connected devices.

Defending Schools

Ransomware has proven to one of the most menacing cybersecurity threats for cities, schools and hospitals. While awareness around ransomware is arguably at an all-time level, the ease with which the attacks can be launched and low chances of being caught has made it an extremely profitable criminal enterprise.

The primary advice for organizations is to be ready before an infection by ensuring backups are up-to-date and are segregated from the network. That enables a quick recovery, but also requires a substantial investment. Long procurement cycles and tight budgeting by cities and schools means those costs may be pushed down the line.

But school districts are capable defending themselves, writes David Kruse, a technology risk consultant and cyber risk practice leader with Hausmann-Johnson Insurance in Madison, Wisconsin.

"By implementing proactive security processes that include employee awareness training and a documented and repeatable set of security controls, districts can prevent many of the most common types of attacks including ransomware," Kruse writes.

Paying Ransoms

Although the FBI has recommended that victims do not pay ransoms, it's often the easiest way to recover from an attack. Although morally vexing, paying ransoms has become an accepted practice when weighing the recovery cost and network down time (see: Please Don't Pay Ransoms, FBI Urges). The FBI has also published a ransomware guide for CISOs.

Lake City, Florida, which was hit by ransomware in June, approved paying a ransom through its insurer, Beazley, ProPublica reports. The city paid a $10,000 deductible, while Beazley paid the balance of the $460,000 ransom. Lake City officials tell ProPublica that Beazley recommended paying the ransom, as recovering from the attack would have exceeded the city's $1 million coverage limit.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;